CCleaner v5.63 "Important Security Updates"

[lmacri]

Does anyone have further details about the "important security updates" in CCleaner v5.63.7450 (released 15-Oct-2019) and whether this update is being pushed out via the CCleaner Emergency Updater to users who do not have automatic updating enabled?  Was there a change to the security certificates, or is there an exploitable vulnerability in versions v5.57 and higher that has an associated CVE number?

From Ben CCCleaner's official product update announcement <here> :

Quote

"In this release we have included some important security updates and minor UI improvements and bug fixes. 

General

• Users on versions v5.57 through to v5.62 have been automatically updated to the new version to take advantage of its enhanced security and improved performance. Users will not notice any change to any of their product settings and can continue to use it as normal
• Minor UI changes and bug fixes..."

[hazelnut]

I did ask about the 'Important security updates' but received no reply Imacri.

So we are all waiting to hear what it was  

[nottelling]

I am also interested in the changes in this update.  As a user of old versions (not a fan of later UI changes) I'd like to know what type of risk I am at continuing to us them.  I hope an admin can let us know. 

I am guessing it has to do with the traffic the program sends back and forth (telemetry, etc) as I can't think what else CCleaner does network related but yeah, just guessing!

Thanks.

[Dave CCleaner]

For 5.63 we released with a new signing certificate as a precautionary security measure (https://www.ccleaner.com/news/blog/2019/10/21/ccleaner-version-563-preventative-update-as-part-of-our-zero-tolerance-policy-against-cybercrime

For users on older versions, "we are confident to say that our CCleaner users are protected and unaffected".  That said, as always:

1. We recommend that people use the latest version of our software - or any other software for that matter.
2. As has been mentioned in these pages before, only versions of CCleaner from 5.46 and above are recommended for use on Windows 10. 
3. Users impacted by the bug that causes notifications to appear more often than intended are recommended to update to CCleaner 5.54 or higher.
4. While the new "Easy Clean" experience (released in CCleaner 5.57) has been extremely popular with most of our users, those who prefer the old-style of cleaning can still find the interface they are more familiar with under "Custom Clean" and set that to be their default cleaning mode to continue to use CCleaner in the same way as they did with previous versions while still enjoying the latest updates to cleaning rules that come with the newer releases.

[hazelnut]

@lmacri

Also see here

https://blog.avast.com/ccleaner-fights-off-cyberespionage-attempt-abiss

[lmacri]

Thanks to both Dave CCleaner and hazelnut for their replies and links to blog entries that include further details about this internal network breach.

[Dave CCleaner]

The advantages of having a "Big Uncle" who is a security company - we're a harder target than we were back in 2017.

[Michael88]

In my case I have several computers that were automatically updated to 5.63 BUT one machine that I hadn't used for a while had 5.58 so I downloaded 5.63 using the official download from piriform and put it on a CD using another machine. I tried to instal 5.63 offline using the cd on the machine that had not been updated automatically, and the installation/update came to a halt, something to do with CCUpdate.exe is this anything to be concerned about ?

As a precaution I uninstalled ccleaner from that machine and will instal another product soon .

[lmacri]

1 hour ago, Dave CCleaner said:

The advantages of having a "Big Uncle" who is a security company - we're a harder target than we were back in 2017.

 

Hi Dave CCleaner:

According to the 21-Oct-2019 Avast blog entry Avast Fights Off Cyber-Espionage Attempt, Abiss that hazelnut referenced <above>:
 

Quote

"...When analyzing the external IPs, we found that the actor had been attempting to gain access to the network through our VPN as early as May 14 of this year.

After further analysis, we found that the internal network was successfully accessed with compromised credentials through a temporary VPN profile that had erroneously been kept enabled and did not require 2FA....

...On September 25, we halted upcoming CCleaner releases and began checking prior CCleaner releases and verified that no malicious alterations had been made. As two further preventative measures, we first re-signed a clean update of the product, pushed it out to users via an automatic update on October 15, and second, we revoked the previous certificate. Having taken all these precautions, we are confident to say that our CCleaner users are protected and unaffected...."

 

If I understood that article correctly, hackers managed to access Avast's internal network several times over a four-month period using stolen login credentials and somehow managed to attain domain admin priviledges before these incursions were detected.  They might not have managed inject malware into the CCleaner installer as they did in 2017 (see the BleepingComputer article Avast Clarifies Details Surrounding CCleaner Malware Incident for more information about a 2017 supply chain attack where the CCleaner v5.33 installer was infected with a Floxif trojan and released to users) but it sounds to me like "Big Uncle" still has room for improvement when its comes to securing their network access.

[Dave CCleaner]

45 minutes ago, Michael88 said:

 I tried to instal 5.63 offline using the cd on the machine that had not been updated automatically, and the installation/update came to a halt, something to do with CCUpdate.exe is this anything to be concerned about ?

@Michael88: No concerns if you downloaded from CCleaner and not a third party website.  Sounds like it might have been this? 

 

[Michael88]

No it wasn't as you have shown. The error message mentioned ccupdate.exe and the message gave the option to cancel, skip that file or continue. I have since reverted my hard drive to 31st August and then uninstalled ccleaner (also removed ccupdate.exe) and did another backup. So if it doesn't instal today my system will not have to go back very far. I don't normally have problems with installing programs, so it is a mystery. I did check the hash file etc at the time before installing and they did match

[Michael88]

Tried another instal today and missed the option to uncheck installing Google Chrome ! So when this started installing as well as ccleaner I went to my system backup. If you have an "arrangement" with Chrome to add an option to istal their browser, it should be shown more clearly.

However the outcome is  I did then successfully instal ccleaner 

[Eric Collart]

Hello,

don't know what's happening and if only my PC is concerned or not but I cannot install 5.63 free anymore on my Win 10 (1809) protected by BitDefender free !

There is no event reported by BitDefender free.

Setup starts, ask to confirm admin right, then extract all installation files then the extraction progress popup disappears and nothing more happens !

Starting digging in event log files and found this pointing to BitDefender:

Nom du journal :Application
Source :       Application Error
Date :         15-11-19 12:47:21
ID de l’événement :1000
Catégorie de la tâche :(100)
Niveau :       Erreur
Mots clés :    Classique
Utilisateur :  N/A
Ordinateur :   Eric-PC
Description :
Nom de l’application défaillante ccsetup563.exe, version : 5.63.0.7540, horodatage : 0x5682fc79
Nom du module défaillant : atcuf32.dll, version : 1.28.222.0, horodatage : 0x5d874f64
Code d’exception : 0xc0000005
Décalage d’erreur : 0x00002d8e
ID du processus défaillant : 0x319c
Heure de début de l’application défaillante : 0x01d59baa6c9ac2f3
Chemin d’accès de l’application défaillante : F:\Eric\Downloads\ccsetup563.exe
Chemin d’accès du module défaillant: C:\Program Files\Bitdefender Antivirus Free\atcuf\264334846398198787\atcuf32.dll
ID de rapport : d068f6be-68c3-41ac-81b7-1a189fdcd08f
Nom complet du package défaillant :
ID de l’application relative au package défaillant :
XML de l’événement :
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2019-11-15T11:47:21.473543700Z" />
    <EventRecordID>34072</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Eric-PC</Computer>
    <Security />
  </System>
  <EventData>
    <Data>ccsetup563.exe</Data>
    <Data>5.63.0.7540</Data>
    <Data>5682fc79</Data>
    <Data>atcuf32.dll</Data>
    <Data>1.28.222.0</Data>
    <Data>5d874f64</Data>
    <Data>c0000005</Data>
    <Data>00002d8e</Data>
    <Data>319c</Data>
    <Data>01d59baa6c9ac2f3</Data>
    <Data>F:\Eric\Downloads\ccsetup563.exe</Data>
    <Data>C:\Program Files\Bitdefender Antivirus Free\atcuf\264334846398198787\atcuf32.dll</Data>
    <Data>d068f6be-68c3-41ac-81b7-1a189fdcd08f</Data>
    <Data>
    </Data>
    <Data>
    </Data>
  </EventData>
</Event>

Thanks for help

Eric Collart (Belgium)

Edited November 15, 2019 by Eric Collart
Add event log entry text

[Eric Collart]

Ok, just found 2 other threads about same problem and one also with BitDefender...

I was able to install 5.63 using the Slim installer you can find at https://www.ccleaner.com/fr-fr/ccleaner/builds

It seems other antiviruses block 5.63 as a precaution ... The bad stuff is there is no notification (same for user using Defender)

Eric Collart